Abstract
To understand the principles needed to manage security in FPGA designs, this chapter presents lessons learned from the development of high assurance systems. These principles include risk assessment, threat models, policy enforcement, lifecycle management, assessment criteria, configuration control, and development environments.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
“Quis custodiet ipsos custodies?” (“Who guards the guardians?”)—Juvenal, Satires VI.347.
- 2.
For the purpose of this discussion, the two terms are considered to be equivalent.
- 3.
The term security functionality is based on the term TOE Security Functionality (TSF) which is defined in the CC as a set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the security functional requirements [23].
- 4.
Where program could be a module, component, monolithic system, or distributed system.
References
S. Adee, The hunt for the kill switch. IEEE Spectrum 45(5), 34–39 (2008)
P. Ammann, R.S. Sandhu, The extended schematic protection model. J. Comput. Secur. 1(3, 4), 335–385 (1992)
J.P. Anderson, Computer security technology planning study. Tech. Rep. ESD-TR-73-51, Air Force Electronic Systems Division, Hanscom AFB, Bedford, MA, 1972. Also available as vol. I, DITCAD-758206. Vol. II, DITCAD-772806
E.A. Anderson, C.E. Irvine, R.R. Schell, Subversion as a threat in information warfare. J. Inf. Warfare 3(2), 52–65 (2004)
M.J. Bach, The Design of the UNIX Operating System (Prentice Hall, Inc., Englewood Cliffs, 1986)
T. Ball, E. Bounimova, B. Cook, V. Levin, J. Lichtenberg, C. McGarvey, B. Ondrusek, S.K.R. Jamani, A. Ustuner, Thorough static analysis of device drivers. SIGOPS Oper. Syst. Rev. 40(4), 73–85 (2006)
D.E. Bell, L. LaPadula, Secure computer system: unified exposition and multics interpretation. Tech. Rep. ESD-TR-75-306, MITRE Corp., Hanscom AFB, MA, 1975
D.E. Bell, L. LaPadula, Secure computer systems: mathematical foundations and model. Tech. Rep. M74-244, MITRE Corp., Bedford, MA, 1973
K.J. Biba, Integrity considerations for secure computer systems. Tech. Rep. ESD-TR-76-372, MITRE Corp., 1977
E.W. Bobert, On the inability of an unmodified capability machine to enforce the *-property, in Proceedings DoD/NBS Computer Security Conference, September 1984, pp. 291–293
G. Boolos, R. Jeffrey, Computability and Logic (Cambridge University Press, Cambridge, 1974)
CCEVS, Publication #4: guidance to CCEVS approved Common Criteria testing laboratories, version 2.0. National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme, September 2008
CCEVS, Publication #1: organization, management and concept of operations, version 2.0. National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme, September 2008
CCMB, Common Criteria for information technology security evaluation, revision 3.1, revision 1, no. CCMB-2006-09-001. Common Criteria Maintenance Board, September 2006
B.E. Chelf, S.A. Hallem, A.C. Chou, Systems and methods for performing static analysis on source code. US Patent 7,340,726, Coverity, Inc., 2008
H. Chen, D. Wagner, MOPS: an infrastructure for examining security properties of software, in Proc. 9th ACM Conf. Computer and Communications Security (CCS 02)
B. Chess, G. McGraw, Static analysis for security. IEEE Secur. Priv. 2, 76–79 (2004)
S. Christy, R.A. Martin, Vulnerability type distributions in CVE. http://cve.mitre.org/docs/vuln-trends/index.html, May 2007
J.P.A. Co, Computer security threat monitoring and surveillance. Tech. Rep., James P. Anderson Co., Fort Washington, PA 19034, February 1980
Committee on National Security Systems, NSTISSP no. 11, revised fact sheet. National Information Assurance Acquisition Policy, July 2003
Common Criteria Maintenance Board, Common Criteria for information technology security evaluation, part 3: security assurance components, version 2.3, CCMB-2005-08-003. Common Criteria Maintenance Board, August 2005
Common Criteria Development Board, The application of CC to integrated circuits, version 2.0, revision 1, CCDB-2006-04-003. Supporting document, mandatory technical document. Common Criteria Development Board, April 2006
Common Criteria Maintenance Board, Common Criteria for information technology security evaluation, part 1: introduction and general model, version 3.1, revision 1, CCMB-2006-09-001. Common Criteria Maintenance Board, September 2006
Common Criteria Maintenance Board, Common Criteria for information technology security evaluation, part 2: security functional components, version 3.1, revision 2, CCMB-2007-09-002. Common Criteria Maintenance Board, September 2007
Common Criteria Maintenance Board, Common Criteria for information technology security evaluation, part 3: security assurance components, version 3.1, revision 2, CCMB-2007-09-003. Common Criteria Maintenance Board, September 2007
Common Criteria Maintenance Board, Common Criteria for information technology security evaluation, evaluation methodology, version 3.1, revision 2, CCMB-2007-09-004. Common Criteria Maintenance Board, September 2007
M.A. Cusumano, Who is liable for bugs and security flaws in software? Commun. ACM 47, 25–27 (2004)
M. Das, S. Lerner, M. Seigle, ESP: path-sensitive program verification in polynomial time, in PLDI 02: Programming Language Design and Implementation, June 2002, pp. 57–68
P.J. Denning, Virtual memory. ACM Comput. Surv. 2(3), 153–189 (1970)
D.E. Denning, A lattice model of secure information flow. Commun. ACM 19(5), 236–243 (1976)
D.E. Denning, An intrusion-detection model. IEEE Trans. Softw. Eng. 13, 222–232 (1987)
J.B. Dennis, E.C.V. Horn, Programming semantics for multiprogrammed computations. Commun. ACM 9(3), 143–155 (1966)
DigitalNet Government Solutions, Security target version 1.7 for XTS-6.0.E, March 2004
P. Eggert, D. Cooper, S. Eckmann, J. Gingerich, S. Holtsberg, N. Kelem, R. Martin, FDM user guide. No. TM-8486/000/04, Reston, VA: Unisys Corporation, June 1992
European Commission, Biometrics at the frontiers: assessing the impact on society. Tech. Rep., European Commission Joint Research Center (DG JRC), Institute for Prospective Technological Studies, 2005
R. Fabry, Capability-based addressing. Commun. ACM 17, 403–412 (1974)
R. Fitzgerald, trans. Homer: The Odyssey (Vintage, New York, 1961)
L.J. Fraim, Scomp: a solution to the multilevel security problem. Computer 16, 26–34 (1983)
J. Goguen, J. Meseguer, Security policies and security models, in Proc. of 1982 IEEE Symposium on Security and Privacy, Oakland, CA (IEEE Comput. Soc., Los Alamitos, 1982), pp. 11–20
G.S. Graham, P.J. Denning, Protection—principles and practice, in Proceedings of the Spring Joint Computer Conference, May 1972, pp. 417–429
I. Hadzic, S. Udani, J. Smith. FPGA viruses, in Proceedings of the Ninth International Workshop on Field-Programmable Logic and Applications (FPL’99), Glasgow, UK, August 1999
M. Harrison, W. Ruzzo, J. Ullman, Protection in operating systems. Commun. ACM 19(8), 461–471 (1976)
J.L. Hennessy, D.A. Patterson, Computer Architecture: A Quantitative Approach, 4th edn. (Morgan Kaufmann, San Mateo, 2006)
C.A.R. Hoare, Communicating sequential processes. Commun. ACM 21(8), 666–677 (1978)
J. Horton, R. Harland, E. Ashby, R.H. Cooper, W.F. Hyslop, B. Nickerson, W.M. Stewart, O. Ward, The cascade vulnerability problem, in Proceedings IEEE Symposium on Research in Security and Privacy, Oakland, CA, May 1993, pp. 110–116
IAD (Information Assurance Directorate), US Government protection profile for separation kernels in environments requiring high robustness. National Information Assurance Partnership, version 1.03 edn., 29 June 2007
Intel, Intel 64 and IA32 architectures software developer’s manual, vol. 3A: system programming guide, part 1. Intel Corporation, Denver, CO, 253668-022us edn., November 2006
D. Jackson, Software Abstractions: Logic, Language, and Analysis (MIT Press, Cambridge, 2006)
A.K. Jain, S. Pankanti, S. Prabhakar, L. Hong, A. Ross, J.L. Wayman, Biometrics: a grand challenge, in Proceedings of the 17th International Conference on Pattern Recognition, August 2004, pp. 935–942
M.J. Kaminskas, Risk Assessment/Risk Management. Building Design for Homeland Security, vol. 5. FEMA, Risk Management Series ed. (2007). http://www.fema.gov/library/viewRecord.do?id=1939
P.A. Karger, Improving security performance for capability systems. Ph.D. thesis, University of Cambridge, Cambridge, England, 1988
P. Karger, A.J. Herbert, An augmented capability architecture to support lattice security and traceability of access, in Proceedings 1984 IEEE Symposium on Security and Privacy, Oakland, CA (IEEE Comput. Soc., Los Alamitos, 1984), pp. 2–12
P.A. Karger, R.R. Schell, Multics security evaluation: vulnerability analysis. Tech. Rep. ESD-TR-74-193, vol. II, HQ Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA 01731, June 1974
M. Kaufmann, J. Moore, An industrial strength theorem prover for a logic based on common Lisp. IEEE Trans. Softw. Eng. 23(4), 203–213 (1997)
G.H. Kim, E.H. Spafford, The design and implementation of Tripwire: a file system integrity checker, in Proceedings of the 2nd ACM Conference on Computing and Communications Security (CCS), Fairfax, VA, November 1994
P. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS and other systems, in Proceedings of the 16th Annual International Cryptology Conference (CRYPTO), Santa Barbara, CA, August 1996
M. Kurdziel, J. Fitton, Baseline requirements for government and military encryption algorithms, in MILCOM, vol. 2, Oct. 2002, pp. 1491–1497
L. Lack, Using the bootstrap concept to build an adaptable and compact subversion artifice. Master’s thesis, Naval Postgraduate School, Monterey, CA, June 2003
B.W. Lampson, Protection, in Proc. 5th Princeton Conf. on Information Sciences and Systems, Princeton, NJ, 1971
B.W. Lampson, A note on the confinement problem. Commun. ACM 16(10), 613–615 (1973)
C.E. Landwehr, Formal models for computer security. ACM Comput. Surv. 13(3), 247–278 (1981)
K. Lee, L. Sha, Process resurrection: a fast recovery mechanism for real-time embedded systems, in Proceedings of 11th IEEE Real Time and Embedded Technology and Applications Symposium 2005 (RTAS 2005), March 2005, pp. 292–301
T.E. Levin, C.E. Irvine, T.D. Nguyen, Least privilege in separation kernels, in E-business and Telecommunication Networks; Third International Conference, ed. by J. Filipe, M.S. Obaidat. ICETE 2006, Set’ubal, Portugal, 7–10 August 2006. Communications in Computer and Information Science, vol. 9 (Springer, Berlin, 2008)
T.E. Levin, C.E. Irvine, C. Weissman, T.D. Nguyen, Analysis of three multilevel security architectures, in Proceedings 1st Computer Security Architecture Workshop, Fairfax, VA, November 2007, pp. 37–46
H.M. Levy, Capability-based Computer Systems (Digital Press, Bedford, 1984)
S. Lipner, The trustworthy computing security development lifecycle, in Proceedings 20th Annual Computer Security Applications Conference (IEEE Comput. Soc., Los Alamitos, 2004), pp. 2–13
Lockheed-Martin/The Open Group, Protection Profile for PKS in environments requiring high robustness. Draft Version 1.3, submittal for NSA approval, 09 June 2003. http://www.csds.uidaho.edu/pp/PKPP1_3.pdf. Last accessed: 15 March 2009
T.F. Lunt, Access control policies: some unanswered questions. Comput. Secur. 8, 43–54 (1989)
T.F. Lunt, P.G. Neumann, D.E. Denning, R.R. Schell, M. Heckman, W.R. Shockley, Secure distributed data views security policy and interpretation for DMBS for a Class A1 DBMS. Tech. Rep. RADC-TR-89-313, vol. I, Rome Air Development Center, Griffiss, Air Force Base, NY, December 1989
J. McLean, Security models and information flow, in Proceedings of the IEEE Symposium on Security and Privacy (IEEE Comput. Soc., Los Alamitos, 1990), pp. 180–189
J. Millen, The cascading problem for interconnected networks, in Fourth Aerospace Computer Security Applications Conference, 1988, pp. 269–273
J. Murray, An exfiltration subversion demonstration. Master’s thesis, Naval Postgraduate School, Monterey, CA, June 2003
S. Myagmar, A. Lee, W. Yurcik, Threat modeling as a basis for security requirements, in Proc. Symp. Requirements Engineering for Information Security (SREIS 05), 2005
P. Myers, Subversion: the neglected aspect of computer security. M.S. thesis, Naval Postgraduate School, Monterey, CA, 1980
National Computer Security Center, Trusted network interpretation of the trusted computer system evaluation criteria, NCSC-TG-005, July 1987
National Computer Security Center, A guide to understanding object reuse in trusted systems. Tech. Rep. NCSC TG-018, National Computer Security Center, Fort George G. Meade, MD, 1991
E.I. Organick, The Multics System: An Examination of Its Structure (MIT Press, Cambridge, 1972)
L.C. Paulson, Isabelle: A Generic Theorem Prover. LNCS, vol. 828 (Springer, Berlin, 1994)
V. Paxon, Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)
D. Redell, R. Fabry, Selective Revocation of Capabilities, International Workshop on Protection in Operating Systems, IRIA, 1974
D. Rogers, A framework for dynamic subversion. Master’s thesis, Naval Postgraduate School, Monterey, CA, June 2003
A. Roscoe, CSP and determinism in security modelling, in Proceedings of the IEEE Symposium on Security and Privacy (IEEE Comput. Soc., Los Alamitos, 1995), pp. 114–127
J. Rushby, Design and verification of secure systems. ACM SIGOPS Operating Systems Review, vol. 15, December 1981, p. 12
J. Rushby, S. Owre, N. Shankar, Subtypes for specifications: predicate subtyping in PVS. IEEE Trans. Softw. Eng. 24(9), 709–720 (1998)
J.H. Saltzer, M.D. Schroeder, The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975)
R. Sandu, Analysis of acyclic attenuating systems for the SSR protection model, in Proceedings of the 1985 IEEE Symposium on Security and Privacy, April 1985, pp. 197–206
R.S. Sandhu, The schematic protection model: its definition and analysis for acyclic attenuating schemes. J. ACM 35, 404–432 (1988)
R.R. Schell, P.J. Downey, G.J. Popek, Preliminary notes on the design of secure military computer systems. Tech. Rep. MCI-73-1, Electronic Systems Division, Air Force Systems Command, Hanscom AFB, Bedford, MA, 73
R. Schell, T.F. Tao, M. Heckman, Designing the GEMSOS security kernel for security and performance, in Proceedings 8th DoD/NBS Computer Security Conference, 1985, pp. 108–119
D.D. Schnackenberg, Development of a multilevel secure local area network, in Proceedings of the 8th National Computer Security Conference, October 1985, pp. 97–101
M.D. Schroeder, J.H. Saltzer, A hardware architecture for implementing protection rings. Commun. ACM 15(3), 157–170 (1972)
J.S. Shapiro, J.M. Smith, D.J. Farber, EROS: a fast capability system, in SOSP’99: Proceedings of the Seventeenth ACM Symposium on Operating Systems Principles (ACM, New York, 1999), pp. 170–185
L.J. Shirley, R.R. Schell, Mechanism sufficiency validation by assignment, in Proceedings 1981 IEEE Symposium on Security and Privacy, Oakland (IEEE Comput. Soc., Los Alamitos, 1981), pp. 26–32
W.R. Shockley, R.R. Schell, TCB subsets for incremental evaluation, in Proceedings Third AIAA Conference on Computer Security, December 1987, pp. 131–139
A. Silberschatz, P.B. Galvin, G. Gagne, Operating System Concepts, 7th edn. (Wiley, New York, 2005)
Snort.org, Snort. http://www.snort.org/, last referenced 22 March 2009
Specware 4.2 Manual, Kestrel Technology, http://www.specware.org/documentation/4.2/languagemanual/SpecwareLanguageManual.pdf, 3 November 2008
J.M. Spivey, Understanding Z: A Specification Language and Its Formal Semantics (Cambridge University Press, Cambridge, 1988)
D.F. Sterne, On the buzzword “security policy”, in Proceedings of the IEEE Symposium on Research on Security and Privacy, Oakland, CA (IEEE Comput. Soc., Los Alamitos, 1991), pp. 219–230
The Easter Egg Archive, Excel Easter Egg—Excel 97 flight to credits. http://www.eeggs.com/items/718.html, last accessed 19 February 2009
K. Thompson, Reflections on trusting trust. Commun. ACM 27(8), 761–763 (1984)
S. Trimberger, Trusted design in FPGAs, in Proceedings of the 44th Design Automation Conference, San Diego, CA, June 2007
US Department of Commerce and Communications Security Establishment of the Government of Canada, Implementation guidance for FIPS PUB 140-2 and the cryptographic module validation program, initial release: 28 March 2003, last update: 10 March 2009. National Institute of Standards and Technology, Gaithersburg, MD, March 2009
US Department of Commerce, Security requirements for cryptographic modules, Federal Information Processing Standards Publication 140-2. National Institute of Standards and Technology, Gaithersburg, MD, May 2001
US Department of Commerce, Standards for security categorization of federal information and information systems, Federal Information Processing Standards Publication 199. National Institute of Standards and Technology, Gaithersburg, MD, February 2004
US Department of Commerce, Recommended security controls for federal information systems, NIST Special Publication 800-53 Revision 2. National Institute of Standards and Technology, Gaithersburg, MD, December 2007
US Department of Commerce, Security requirements for cryptographic modules, Federal Information Processing Standards Publication 140-3 (Draft: 07-13-2007). National Institute of Standards and Technology, Gaithersburg, MD, July 2007
US Department of Commerce, Security considerations in the system development life cycle, NIST Special Publication 800-64 Revision 2. National Institute of Standards and Technology, Gaithersburg, MD, October 2008
US Department of Commerce, Derived test requirements for FIPS PUB 140-2, Security requirements for cryptographic modules, 24 March 2004, Draft, CMVP program staff (NIST, CSE and CMVP laboratories). National Institute of Standards and Technology, Gaithersburg, MD. http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/fips1402DTR.pdf. Cited 7 April 2009
US Department of Defense, Trusted computer systems evaluation criteria (Orange Book) 5200.28-STD. National Computer Security Center, Fort Meade, MD, Dec. 1985
US Department of Defense, A guide to understanding trusted distribution in trusted systems, version 2, NCSC-TG-008. National Computer Security Center, Fort Meade, MD, December 1988
US Department of Defense, A guide to understanding trusted recovery in trusted systems, version 1, NCSC-TG-022. National Computer Security Center, Fort Meade, MD, December 1991
US Department of Defense, Defense Science Board task force on high performance microchip supply. Office of the Under Secretary of Defense For Acquisition, Technology, and Logistics, Washington, DC, February 2005
US Department of Defense, TRUST in integrated circuits, presolicitation notice, solicitation number: BAA07-24. Defense Advanced Research Project Agency, Microsystems Technology Office, Arlington, VA, March 2007. http://www.darpa.mil/mto/solicitations/baa07-24/index.html, cited 27 Mar 2009
D. Volpano, C. Irvine, Secure flow typing. Comput. Secur. 16(2), 137–144 (1997)
D.R. Wichers, Conducting an object reuse study, in Proceedings of the 13th National Computer Security Conference, October 1990, pp. 738–747
M.V. Wilkes, R.M. Needham, The Cambridge model distributed system. ACM SIGOPS Oper. Syst. Rev. 14(1), 21–29 (1980)
E. Witchel, J. Cates, K. Asanovic, Mondrian memory protection, in Tenth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS-X), San Jose, CA, October 2002
C. Zymaris, A comparison of the GPL and the Microsoft EULA. 2003. Cybersource. Retrieved 15 September 2008, from http://www.cybersource.com.au/cyber/about/comparing_the_gpl_to_eula.pdf
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
Copyright information
© 2010 Springer Science+Business Media B.V.
About this chapter
Cite this chapter
Huffmire, T., Irvine, C., Nguyen, T.D., Levin, T., Kastner, R., Sherwood, T. (2010). High Assurance Software Lessons and Techniques. In: Handbook of FPGA Design Security. Springer, Dordrecht. https://doi.org/10.1007/978-90-481-9157-4_2
Download citation
DOI: https://doi.org/10.1007/978-90-481-9157-4_2
Publisher Name: Springer, Dordrecht
Print ISBN: 978-90-481-9156-7
Online ISBN: 978-90-481-9157-4
eBook Packages: EngineeringEngineering (R0)